Source from repo

Microsoft Foundry Skill

Deploy, evaluate, and manage AI agents end-to-end on Microsoft Azure AI Foundry

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

546.6 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

resource/private-network/references/post-deployment-validation.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown94 linesFree

resource/private-network/references/post-deployment-validation.md

1# Post-Deployment Validation
2 
3Run after deployment succeeds. Steps 1-3 can run from anywhere (management plane). Steps 4-5 require VNet access.
4 
5## 1. Infrastructure Verification
6 
7### 1.1 Resource State
8 
9Verify all resources are in `Succeeded` state:
10 
11```bash
12az deployment operation group list \
13  --resource-group <rg> --name <deployment-name> \
14  --query "[].{resource:properties.targetResource.resourceType,state:properties.provisioningState}" -o table
15```
16 
17### 1.2 Private Endpoint Connections
18 
19Verify all PE connections are `Approved`:
20 
21```bash
22az network private-endpoint list \
23  --resource-group <rg> \
24  --query "[].{name:name,status:privateLinkServiceConnections[0].privateLinkServiceConnectionState.status,resource:privateLinkServiceConnections[0].groupIds[0]}" -o table
25```
26 
27### 1.3 Public Network Access Audit
28 
29Verify all resources have public access disabled:
30 
31```bash
32az cognitiveservices account show --name <ai-account> --resource-group <rg> \
33  --query "properties.publicNetworkAccess" -o tsv
34 
35az cosmosdb show --name <cosmos-account> --resource-group <rg> \
36  --query "publicNetworkAccess" -o tsv
37 
38az storage account show --name <storage-account> --resource-group <rg> \
39  --query "publicNetworkAccess" -o tsv
40 
41az search service show --name <search-service> --resource-group <rg> \
42  --query "publicNetworkAccess" -o tsv
43```
44 
45All should return `Disabled`.
46 
47> **T10 (Private Basic):** Steps 2-5 below do not apply — T10 has no agents, no capability host, and no BYO resources. Setup is complete after Step 1.
48 
49## 2. RBAC Role Assignment (no VNet required)
50 
51The template does not assign data-plane roles automatically.
52 
53Assign `Azure AI Developer` at the **account** scope (management-plane):
54 
55```bash
56az role assignment create \
57  --role "Azure AI Developer" \
58  --assignee <your-object-id-or-email> \
59  --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<ai-account-name>
60```
61 
62Assign `Azure AI User` at the **project** scope (data-plane — required for `agents/read`, `agents/write`):
63 
64```bash
65az role assignment create \
66  --role "Azure AI User" \
67  --assignee <your-object-id-or-email> \
68  --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<ai-account-name>/projects/<project-name>
69```
70 
71> ⚠️ RBAC propagation can take 1–5 minutes.
72 
73## 3. Deploy a Model (no VNet required)
74 
75```bash
76az cognitiveservices account deployment create \
77  --resource-group <rg> \
78  --name <ai-account-name> \
79  --deployment-name <deployment-name> \
80  --model-name <modelName> \
81  --model-version <modelVersion> \
82  --model-format <format> \
83  --sku-name GlobalStandard \
84  --sku-capacity 50
85```
86 
87Fall back to `Standard` SKU if `GlobalStandard` quota is exhausted.
88 
89---
90 
91## 4. VNet Access & End-to-End Test
92 
93For the remaining steps (VNet access setup, DNS resolution, agent lifecycle test, isolation proof, cleanup), read [end-to-end-test.md](end-to-end-test.md).
94

Loading source

Preparing the source view

Pulling the file list, source metadata, and syntax-aware rendering for this listing.

Marketplace

Source from repo

Microsoft Foundry Skill

Deploy, evaluate, and manage AI agents end-to-end on Microsoft Azure AI Foundry

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

546.6 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

resource/private-network/references/post-deployment-validation.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown94 linesFree

resource/private-network/references/post-deployment-validation.md

1# Post-Deployment Validation
2 
3Run after deployment succeeds. Steps 1-3 can run from anywhere (management plane). Steps 4-5 require VNet access.
4 
5## 1. Infrastructure Verification
6 
7### 1.1 Resource State
8 
9Verify all resources are in `Succeeded` state:
10 
11```bash
12az deployment operation group list \
13  --resource-group <rg> --name <deployment-name> \
14  --query "[].{resource:properties.targetResource.resourceType,state:properties.provisioningState}" -o table
15```
16 
17### 1.2 Private Endpoint Connections
18 
19Verify all PE connections are `Approved`:
20 
21```bash
22az network private-endpoint list \
23  --resource-group <rg> \
24  --query "[].{name:name,status:privateLinkServiceConnections[0].privateLinkServiceConnectionState.status,resource:privateLinkServiceConnections[0].groupIds[0]}" -o table
25```
26 
27### 1.3 Public Network Access Audit
28 
29Verify all resources have public access disabled:
30 
31```bash
32az cognitiveservices account show --name <ai-account> --resource-group <rg> \
33  --query "properties.publicNetworkAccess" -o tsv
34 
35az cosmosdb show --name <cosmos-account> --resource-group <rg> \
36  --query "publicNetworkAccess" -o tsv
37 
38az storage account show --name <storage-account> --resource-group <rg> \
39  --query "publicNetworkAccess" -o tsv
40 
41az search service show --name <search-service> --resource-group <rg> \
42  --query "publicNetworkAccess" -o tsv
43```
44 
45All should return `Disabled`.
46 
47> **T10 (Private Basic):** Steps 2-5 below do not apply — T10 has no agents, no capability host, and no BYO resources. Setup is complete after Step 1.
48 
49## 2. RBAC Role Assignment (no VNet required)
50 
51The template does not assign data-plane roles automatically.
52 
53Assign `Azure AI Developer` at the **account** scope (management-plane):
54 
55```bash
56az role assignment create \
57  --role "Azure AI Developer" \
58  --assignee <your-object-id-or-email> \
59  --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<ai-account-name>
60```
61 
62Assign `Azure AI User` at the **project** scope (data-plane — required for `agents/read`, `agents/write`):
63 
64```bash
65az role assignment create \
66  --role "Azure AI User" \
67  --assignee <your-object-id-or-email> \
68  --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<ai-account-name>/projects/<project-name>
69```
70 
71> ⚠️ RBAC propagation can take 1–5 minutes.
72 
73## 3. Deploy a Model (no VNet required)
74 
75```bash
76az cognitiveservices account deployment create \
77  --resource-group <rg> \
78  --name <ai-account-name> \
79  --deployment-name <deployment-name> \
80  --model-name <modelName> \
81  --model-version <modelVersion> \
82  --model-format <format> \
83  --sku-name GlobalStandard \
84  --sku-capacity 50
85```
86 
87Fall back to `Standard` SKU if `GlobalStandard` quota is exhausted.
88 
89---
90 
91## 4. VNet Access & End-to-End Test
92 
93For the remaining steps (VNet access setup, DNS resolution, agent lifecycle test, isolation proof, cleanup), read [end-to-end-test.md](end-to-end-test.md).
94